
What is a distributed denial of service attack (DDoS)?

F-Secure | 21 Jul 2022 | 5 min read


A Distributed Denial of Service (DDoS) attack is a cyber attack designed to make a computer or network resource unavailable to its intended users by overwhelming it with excessive internet traffic. Unlike a simple Denial of Service (DoS) attack, which can be executed by a single device, a DDoS attack leverages multiple compromised devices, known as a botnet, to launch a coordinated assault.

A DDoS attack is essentially a more sophisticated form of a DoS attack, intended to disrupt the normal functioning of a targeted system or network. Because the traffic comes from multiple sources, DDoS attacks are more powerful and harder to stop, draining a system’s resources and making it difficult or even impossible for legitimate users to access the service.


DoS attacks: definition and meaning

DoS, or Denial of Service, is a type of cyberattack designed to disrupt a target’s normal operations — often a website — by overwhelming it with excessive traffic. These attacks generally fall into two categories: flood attacks, which inundate the target with high traffic volumes, and attacks that aim to crash the targeted service. DoS attacks can severely hinder legitimate traffic, negatively affecting business operations and reputation.

Signs of a DoS attack include:

  • slow internet connection or poor network performance

  • crashing of the device or online service

  • an unusual amount of traffic to a single target

  • difficulties in accessing or using an online service, such as a webstore

A slow internet connection, crashes, or difficulty using certain services can indicate a DoS attack, though they may also have harmless explanations. For instance, a website might slow down or crash due to an unexpected surge in legitimate traffic. An online store, for example, is often prepared for high traffic during special sales, making performance disruptions less likely. In contrast, a DoS attack strikes without warning, catching the target website unprepared.

This type of attack could also be used in online gaming to gain an unfair advantage by disrupting an opponent's internet connection. In such cases, one effective way to prevent a DoS attack is by changing your IP address.

DDoS attacks: definition and significance

While a denial-of-service (DoS) attack can be carried out by a single device, a distributed denial-of-service (DDoS) attack involves multiple devices targeting the same system. As a result, DDoS attacks can overwhelm their targets with far more requests than a typical DoS attack. These attacks often target high-profile web servers, such as those of banks or payment gateways, to disrupt critical services. DDoS attacks achieve this scale by utilizing a botnet — a network of compromised devices working together.

What’s a botnet?

A botnet is a network of devices that have been hijacked and used in a DDoS attack. These devices are infected with malware that gives attackers control over them. During a DDoS attack, all the devices in a botnet flood the target with requests simultaneously. This overwhelms the targeted service — such as a website — causing it to reach its capacity and significantly hindering its performance.

Today, all kinds of devices can connect to the internet, including webcams, home appliances, speakers, and even smart toilets. Collectively referred to as the Internet of Things (IoT), these devices offer many opportunities but also introduce vulnerabilities. When connected to the internet, IoT devices are susceptible to malware, making them potential participants in botnet-driven DDoS attacks.

One notable example of a botnet exploiting IoT devices is Mirai, responsible for one of the largest and most well-known DDoS attacks. This attack targeted major websites like Twitter and Netflix, using devices such as routers and webcams to carry out its assault. To mitigate the impact of botnet-driven attacks, implementing robust antivirus software, such as F-Secure Total, is essential.

Differences between DoS and DDoS attacks

Although DoS and DDoS attacks share a similar purpose, there are notable differences between them:

  • Amount of traffic: a DDoS attack can send significantly more traffic to its target compared to a simpler DoS attack, which is typically carried out by a single user and device.

  • Extent of damage: the larger volume of traffic in a DDoS attack results in a greater impact on the target. In extreme cases, a massive DDoS attack can even cause physical damage, such as harming the server hardware.

  • Protection and detection: DDoS attacks are harder to trace because they originate from multiple sources. This distributed nature, combined with the sheer volume of traffic, also makes them more difficult to defend against compared to DoS attacks.

Traditional denial of service attacks are on the rise due to the increased accessibility of tools designed to execute them. These tools often feature user-friendly interfaces, enabling individuals with minimal technical expertise to flood servers with traffic.

How DDoS attacks work

DDoS attacks work by inundating a targeted system with a massive amount of traffic from multiple sources, making it challenging for the system to differentiate between legitimate and malicious traffic. This flood of requests can cause the system to slow down, become unresponsive, or even crash entirely. Network layer attacks, for instance, are characterized by high traffic volumes and target the network infrastructure itself.

DDoS attacks are generally categorized into three types: volumetric attacks, application-layer attacks, and protocol attacks.

Volumetric attacks

A volumetric DDoS attack aims to consume as much bandwidth with traffic as possible. The amount of traffic can be hundreds of gigabytes or even terabytes every second. The goal of such an attack is to cause congestion on the targeted service or website. However, volumetric attacks can also act as a way to hide other types of suspicious activity.

Application layer attacks

Application layer attacks (also known as layer 7 attacks) target specific points in the application layer. What makes an application layer attack different is that it’s not targeted at the system as a whole but a specific point in it.

Protocol attacks

Whereas an application layer attack takes place in the so-called 7th layer, a protocol attack — one of the primary types of DDoS attacks — targets layers 3 and 4, which are the target server’s networking layers. Protocol attacks aim to exhaust the resources of the server and of intermediary devices such as firewalls, disrupting communication.

Reasons for DDoS attacks

DDoS attacks can be motivated by a variety of reasons, including:

  • Extortion: attackers may use DDoS attacks to extort money from an organization by threatening to disrupt their online services unless a ransom is paid.

  • Hacktivism: hacktivists often deploy DDoS attacks to make political or social statements, targeting organizations they oppose to disrupt their operations.

  • Business competition: rival businesses may use DDoS attacks to sabotage a competitor’s online services, seeking to gain an unfair advantage in the market.

  • Cyber vandalism: some individuals or groups launch DDoS attacks simply to create chaos and disruption online, often without financial or political motives.

DDoS-for-hire

DDoS-for-hire platforms, known as booter or stresser services, offer DDoS attacks for a fee, allowing anyone to target websites, networks, or applications without technical expertise. Operating on a subscription model, customers can select attack types, durations, and intensities.

These services pose serious risks to businesses, causing downtime, lost revenue, and reputational harm. Often hosted on the dark web, they are difficult for law enforcement to track and shut down.

To counter these threats, organizations should deploy robust DDoS protection that detects and mitigates attacks in real time. Monitoring for suspicious activity and reporting it to authorities can further strengthen defenses against these malicious platforms.

DDoS attack detection and response

Detecting and responding to a DDoS attack requires a combination of technical and non-technical measures. Common signs of a DDoS attack include:

  • Unusual traffic patterns: a sudden, unexpected spike in traffic can signal a potential DDoS attack.

  • Slow or unresponsive systems: if a system becomes unusually slow or unresponsive, it may be under attack.

  • Error messages: alerts or error messages from security systems may indicate a DDoS attack is in progress.

To effectively respond to a DDoS attack, organizations should have an incident response plan that includes:

  • Activating DDoS protection solutions: implementing solutions that can detect and mitigate attacks is critical.

  • Notifying stakeholders: keeping customers, employees, and other stakeholders informed about the attack and response efforts is essential.

  • Collaborating with law enforcement: coordinating with law enforcement can help identify and prosecute the attackers.

DDoS mitigation and protection

DDoS mitigation is essential for protecting your online presence against cyber threats. A robust DDoS protection solution can detect and mitigate attacks in real time, ensuring legitimate traffic flows uninterrupted. Key techniques include traffic filtering, rate limiting, and IP blocking, often implemented with tools like firewalls, intrusion detection systems, and content delivery networks (CDNs).

To effectively mitigate DDoS attacks, organizations should use a multi-layered defense strategy, including:

  • Network infrastructure protection: secure devices like routers and switches.

  • Application layer protection: shield web applications from specific vulnerabilities.

  • Traffic filtering: block malicious traffic to prevent system overload.

  • Rate limiting: control traffic flow to avoid excessive load.

  • IP blocking: block traffic from malicious IP addresses to cut off attack traffic at its source.

An incident response plan is also crucial, outlining procedures to detect and mitigate attacks and minimize their impact. By implementing these measures, organizations can safeguard against DDoS attacks and ensure business continuity.
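The following Python example is added here to tie together the detection section (spotting an unusual traffic pattern) and the mitigation section (IP blocking and rate limiting) above; it is illustration code, not F-Secure's. It parses web-server access-log lines in Common Log Format, flags any source whose request rate exceeds a threshold inside a sliding window, and then filters the same traffic with a blocklist plus a per-source token-bucket rate limiter. The log lines, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, unix_time) from a Common Log Format line, or None."""
    m = LOG_RE.match(line)
    return (m.group(1), datetime.strptime(m.group(2), TS_FMT).timestamp()) if m else None

def flag_sources(lines, window_s=10, max_requests=50):
    """Detection: flag a source sending more than max_requests in any window_s seconds."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts in filter(None, map(parse_line, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_s:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged

def filter_traffic(lines, blocklist, rate_per_s=5.0, burst=10):
    """Mitigation: IP blocking, then a per-source token bucket. Returns (allowed, dropped)."""
    tokens, last, allowed, dropped = {}, {}, 0, 0
    for ip, ts in filter(None, map(parse_line, lines)):
        if ip in blocklist:
            dropped += 1
            continue
        # refill the bucket for the time elapsed since this source's previous request
        t = min(burst, tokens.get(ip, burst) + (ts - last.get(ip, ts)) * rate_per_s)
        last[ip] = ts
        if t >= 1:
            tokens[ip], allowed = t - 1, allowed + 1
        else:
            tokens[ip], dropped = t, dropped + 1
    return allowed, dropped

def constructed_log(ip, n, per_s):
    """Constructed CLF lines: n requests from ip at per_s requests per second (not real traffic)."""
    return [f'{ip} - - [21/Jul/2022:10:00:{i // per_s:02d} +0000] "GET / HTTP/1.1" 200 512'
            for i in range(n)]

# State is kept per IP, so sources can simply be concatenated (chronological within each source).
SAMPLE = (constructed_log("203.0.113.7", 200, 20)    # one source bursting at 20 requests/s
          + constructed_log("198.51.100.4", 10, 1)   # ordinary visitors at 1 request/s
          + constructed_log("192.0.2.9", 5, 1))
```

Running `flag_sources(SAMPLE)` identifies only the bursting source, and feeding that set to `filter_traffic` drops all of its 200 requests while the 15 ordinary requests pass; with an empty blocklist the token bucket alone still drops 145 of the burst.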


Stay protected from DDoS bots with F-Secure Total

DDoS bots are malware, just like any other, so it’s important to take action to defend against them. F-Secure Total makes this easy, helping you to secure your digital moments in a brilliantly simple way.

  • Award-winning antivirus and malware protection

  • Online browsing, banking, and shopping protection

  • 24/7 online identity and data breach monitoring

  • Unlimited VPN service to safeguard your privacy

  • Password manager with private data protection
